Age | Commit message (Collapse) | Author | Files | Lines |
|
Thanks to Run Mariboe for the contribution to Invoke-TokenManipulation
adding the -PassThru flag for newly created processes. Version increased
to 1.11.
|
Fixed a bug where calling GetProcAddress by ordinal instead of procedure
name failed.
Fixed a bug where reflectively loading an EXE will cause the entry
function (main()) to be called twice instead of once as expected.
Added a ForceASLR flag to force ASLR to be used even if the PE file
doesn't officially support ASLR.
Some minor other changes.
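As an added example of the ordinal path the first bug fix above touches (this is illustration code, not code from Invoke-ReflectivePEInjection or the commit): walk the in-memory export directory of a loaded module to find a named export's ordinal, then resolve it through GetProcAddress by ordinal and confirm it matches resolution by name. It assumes a Windows host; K32, Add-Ptr, Get-ExportTable and Resolve-Export are names chosen for this example. The subtlety it shows is that AddressOfNameOrdinals holds zero-based indexes, and the ordinal GetProcAddress expects is that index plus the export directory's Base field.

```powershell
# Added example (not PowerSploit code): resolve an export by ordinal and compare with resolution by name.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class K32 {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
    // Same export as above: an ordinal is passed in place of the name pointer (low word = ordinal, high word = 0)
    [DllImport("kernel32.dll", EntryPoint = "GetProcAddress", SetLastError = true)]
    public static extern IntPtr GetProcAddressByOrdinal(IntPtr hModule, IntPtr ordinal);
}
"@

function Add-Ptr([IntPtr]$Base, [int64]$Offset) { [IntPtr]($Base.ToInt64() + $Offset) }

function Get-ExportTable {
    # Walks the export directory of a module already mapped in this process; returns @{ name = ordinal }
    param([Parameter(Mandatory=$true)][IntPtr]$ModuleBase)
    $M = [System.Runtime.InteropServices.Marshal]
    $ntHeaders = Add-Ptr $ModuleBase ($M::ReadInt32($ModuleBase, 0x3C))     # IMAGE_DOS_HEADER.e_lfanew
    # Signature (4) + IMAGE_FILE_HEADER (20) = 24 bytes to the optional header;
    # DataDirectory[0] (export) sits at +0x70 in IMAGE_OPTIONAL_HEADER64 and +0x60 in IMAGE_OPTIONAL_HEADER32
    $dataDirOffset = if ([IntPtr]::Size -eq 8) { 24 + 0x70 } else { 24 + 0x60 }
    $exportRva = $M::ReadInt32($ntHeaders, $dataDirOffset)
    if ($exportRva -eq 0) { return @{} }
    $exp      = Add-Ptr $ModuleBase $exportRva
    $base     = $M::ReadInt32($exp, 0x10)                        # IMAGE_EXPORT_DIRECTORY.Base
    $numNames = $M::ReadInt32($exp, 0x18)                        # NumberOfNames
    $names    = Add-Ptr $ModuleBase ($M::ReadInt32($exp, 0x20))  # AddressOfNames (RVAs of ANSI strings)
    $nameOrds = Add-Ptr $ModuleBase ($M::ReadInt32($exp, 0x24))  # AddressOfNameOrdinals (WORD indexes)
    $table = @{}
    for ($i = 0; $i -lt $numNames; $i++) {
        $name = $M::PtrToStringAnsi((Add-Ptr $ModuleBase ($M::ReadInt32($names, 4 * $i))))
        # Entries are zero-based indexes into AddressOfFunctions; the ordinal GetProcAddress expects is index + Base
        $table[$name] = ($M::ReadInt16($nameOrds, 2 * $i) -band 0xFFFF) + $base
    }
    return $table
}

function Resolve-Export {
    param([Parameter(Mandatory=$true)][string]$Module, [Parameter(Mandatory=$true)][string]$Name)
    $h = [K32]::GetModuleHandle($Module)
    if ($h -eq [IntPtr]::Zero) { throw "$Module is not loaded in this process" }
    $ordinal = (Get-ExportTable $h)[$Name]
    if ($ordinal -eq $null) { throw "$Name is not a named export of $Module" }
    $byName    = [K32]::GetProcAddress($h, $Name)
    $byOrdinal = [K32]::GetProcAddressByOrdinal($h, [IntPtr]$ordinal)
    New-Object PSObject -Property @{
        Name = $Name; Ordinal = $ordinal
        ByName = $byName; ByOrdinal = $byOrdinal
        Match = ($byName -eq $byOrdinal)   # $true when the ordinal path agrees with the name path
    }
}

Resolve-Export -Module kernel32.dll -Name GetProcAddress | Format-List
```

Forwarded exports resolve the same way through both paths, since the loader follows the forwarder string after picking the AddressOfFunctions slot; a resolver that forgets to add Base returns the wrong slot (or NULL) for every ordinal, which is the failure mode worth testing for with a Match check like the one above.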
|
The latest version of Mimikatz fixes a crash that happens on Windows 7/8
(and server versions) after installing the latest Windows updates.
|
Latest version of Mimikatz now natively supports being reflectively
loaded by Invoke-ReflectivePEInjection, updating the script to take
advantage of this new version.
|
Conflicts:
Recon/Get-ComputerDetails.ps1
Recon/Recon.psd1
|
Added printers.xml and drives.xml to the search.
|
Added the following recon functions written by Joe Bialek
(@JosephBialek):
- Find-4648Logons
- Find-4624Logons
- Find-AppLockerLogs
- Find-PSScriptsInPSAppLog
- Find-RDPClientConnections
- Get-ComputerDetails (Combines all of the above functions into a single
function)
|
This bug fix was from @jakxx
|
Removed unnecessary comment, merged update with printers.xml and drives.xml from @jackxx
|
All info gathering pieces of this script can now be called individually.
Fixed a bug where the user SID wasn't being converted to a username in
the RDP function.
|
It doesn't make sense to have these as separate ps1 files.
|
The function names New-UserPersistenceOption and
New-ElevatedPersistenceOption now conform to PowerShell naming best
practices.
|
Minor fixes for compatibility between versions
|
Used Select-XML to ensure compatibility with v2
|
Iterate version.
|
Bug fix of variables.
|
Thanks @obscuresec!
|
Get-ComputerDetails is a recon script which pulls a variety of useful
information off a computer which might later be useful to an attacker.
This includes:
Logons
AppLocker process start logs
PowerShell logs to find scripts run
RDP Client saved servers
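As an added example of the "RDP Client saved servers" item above and of the SID-to-username conversion the later bug-fix commit mentions (illustration code, not Get-ComputerDetails' own): enumerate the saved MSTSC targets in every currently loaded user hive under HKEY_USERS and translate each hive's SID to an account name, keeping the raw SID when translation fails (deleted local accounts, SIDs from an unreachable domain). Convert-SidToAccount and Get-RDPClientServers are names chosen here; the Terminal Server Client\Servers registry path is the standard location MSTSC writes.

```powershell
# Added example (not PowerSploit code): saved RDP client targets per user, with SID -> account translation.
function Convert-SidToAccount {
    # Translates a SID string to DOMAIN\user; returns the SID unchanged when it cannot be resolved
    param([Parameter(Mandatory=$true)][string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # IdentityNotMappedException for orphaned SIDs, SystemException when the domain is not reachable
        return $Sid
    }
}

function Get-RDPClientServers {
    # Saved MSTSC targets live per user under <hive>\Software\Microsoft\Terminal Server Client\Servers,
    # so HKEY_USERS is walked instead of HKCU to cover every profile that is currently loaded
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # S-1-5-21-* keys are user hives; skip the *_Classes hives, which carry no Terminal Server Client data
    $hives = Get-ChildItem 'HKU:\' | Where-Object {
        $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes'
    }
    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        $serversKey = "HKU:\$sid\Software\Microsoft\Terminal Server Client\Servers"
        if (-not (Test-Path $serversKey)) { continue }
        foreach ($server in Get-ChildItem $serversKey) {
            $props = Get-ItemProperty $server.PSPath
            New-Object PSObject -Property @{
                User         = Convert-SidToAccount $sid
                Server       = $server.PSChildName
                UsernameHint = $props.UsernameHint   # last account used for that host, when MSTSC stored one
            }
        }
    }
}

Get-RDPClientServers | Format-Table User, Server, UsernameHint -AutoSize
```

Only hives that are loaded (logged-on users, plus any profile loaded by a service) show up under HKEY_USERS; offline profiles would need their NTUSER.DAT mounted with reg load first.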
|
Inject-LogonCredentials has been renamed to Invoke-CredentialInjection.
|
Added a check to ensure the script isn't being run from Session0 with
the "NewWinLogon" flag. This flag does not work in Session0 because
winlogon.exe tries to load stuff from user32.dll which requires that a
desktop be present. This is not possible in Session0 because there is no
desktop/GUI, so it causes winlogon to load and then immediately close
with error code c0000142 indicating a DLL failed to initialize. There is
no way to fix this that I know of; if you need to run the script from
Session0 use the "ExistingWinLogon" flag.
|
This doesn't need to reside in PowerSploit. Those that are truly
paranoid should validate that the embedded executable in
Invoke-Mimikatz.ps1 is indeed mimikatz.
This was causing AV to flag upon downloading PowerSploit.
|
Update Invoke-ReverseDnsLookup.ps1
|
Added pipeline support and verbose statement.
|
The user should at least be made aware if they're using an unsupported
framework library version.
|
These are the compiled libs straight from
http://www.capstone-engine.org/download.html
|
* I also moved the contents of Get-CSDisassembly.ps1 into Capstone.psm1
|
Bug fixes for Invoke-TokenManipulation
|
Processes could not be started when the script was being run from
Session 0. The fix is to use the CreateProcessAsUserW function when
running in Session 0. This API requires SeAssignPrimaryTokenPrivilege
privilege, so for non-session0 calls I still use CreateProcessWithTokenW
which does not require special privileges.
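As an added example of the two-path selection this commit describes, and of the Session 0 test that the earlier "NewWinLogon" guard commit relies on (illustration code, not Invoke-TokenManipulation's own): pick CreateProcessAsUserW when the current process is in session 0 and CreateProcessWithTokenW otherwise, and report which API was used. ProcApi, Get-CurrentSessionId, Assert-NotSession0 and Start-ProcessWithToken are names chosen here. It assumes a Windows host, that the caller already holds a primary token handle (for example from OpenProcessToken plus DuplicateTokenEx) and, on the session 0 path, that the caller's token holds SeAssignPrimaryTokenPrivilege.

```powershell
# Added example (not PowerSploit code): session-aware choice between CreateProcessAsUserW and CreateProcessWithTokenW.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUserW(IntPtr hToken, string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint dwLogonFlags, string lpApplicationName,
        string lpCommandLine, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
}
"@

function Get-CurrentSessionId {
    # Session 0 is the non-interactive services session on Vista and later; interactive users sit in session 1 and up
    [System.Diagnostics.Process]::GetCurrentProcess().SessionId
}

function Assert-NotSession0 {
    # Guard for options that need a desktop (the NewWinLogon case): refuse early with a pointer to the alternative
    param([Parameter(Mandatory=$true)][string]$Option)
    if ((Get-CurrentSessionId) -eq 0) {
        throw "$Option cannot be used from Session 0 (no desktop); use ExistingWinLogon instead"
    }
}

function Start-ProcessWithToken {
    param(
        [Parameter(Mandatory=$true)][IntPtr]$Token,        # primary token; obtaining it (DuplicateTokenEx) is left to the caller
        [Parameter(Mandatory=$true)][string]$CommandLine
    )
    $si = New-Object ProcApi+STARTUPINFO
    $si.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object ProcApi+PROCESS_INFORMATION
    $CREATE_NEW_CONSOLE = 0x10
    if ((Get-CurrentSessionId) -eq 0) {
        # Session 0 path: CreateProcessAsUserW, which needs SeAssignPrimaryTokenPrivilege in the caller's token
        $api = 'CreateProcessAsUserW'
        $ok = [ProcApi]::CreateProcessAsUserW($Token, $null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero,
                $false, $CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    } else {
        # Interactive session path: CreateProcessWithTokenW, no special privilege required
        $LOGON_WITH_PROFILE = 0x1
        $api = 'CreateProcessWithTokenW'
        $ok = [ProcApi]::CreateProcessWithTokenW($Token, $LOGON_WITH_PROFILE, $null, $CommandLine,
                $CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    }
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw ("{0} failed from session {1}: Win32 error {2}" -f $api, (Get-CurrentSessionId), $err)
    }
    New-Object PSObject -Property @{ Api = $api; ProcessId = $pi.dwProcessId; ThreadId = $pi.dwThreadId }
}
```

A typical call is Start-ProcessWithToken -Token $primaryToken -CommandLine 'cmd.exe'; the Api field in the result tells you which branch ran, and on the session 0 branch a Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD) is the sign that SeAssignPrimaryTokenPrivilege is missing from the caller's token.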
|
* Refactor of C# capstone binding
* Now compatible in 32 and 64-bit PowerShell
|
Consider this to be an alpha release until the C# binding is published.
|
Adding Inject-LogonCredentials
|